Threat Detection — Concept (GuardDuty, Inspector, Macie, Detective, Security Hub)
Why this group
SAA-C03 expects you to pick the right detection / posture / compliance service from a small catalog. Memorize the one-line purpose of each.
GuardDuty
- Threat detection for AWS accounts using ML on:
  - CloudTrail events
  - VPC Flow Logs
  - Route 53 DNS query logs
  - Optional: S3 Protection, EKS Audit, Malware Protection, RDS Protection, Lambda Protection
- Detects: crypto-mining, port scans, unusual API calls, IAM key compromise, malware in EBS volumes.
- Findings stream to EventBridge → automated response (e.g. isolate instance via SG change).
- One click in console; no agents needed.
Amazon Inspector
- Vulnerability scanner for:
  - EC2 instances (CVEs in OS packages, network reachability)
  - Container images in ECR
  - Lambda functions (dependencies)
- Uses SSM Agent on EC2.
- Continuous, automated; integrates with Security Hub.
- Replaces the older "Inspector v1".
Amazon Macie
- Data security & privacy for S3.
- Uses ML + pattern matching to find PII / sensitive data (credit cards, SSNs, secrets) in S3 buckets.
- Reports on bucket security posture (public, encryption).
Amazon Detective
- Investigation tool that builds graph relationships from CloudTrail events, VPC Flow Logs, and GuardDuty findings.
- "Drill into" a finding to see related activity.
- Helps after GuardDuty raises a finding.
AWS Security Hub
- Aggregator for findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, third-party tools.
- Runs standards checks (CIS, PCI, AWS Foundational Best Practices).
- Cross-account via Organizations.
Other tangential services
- IAM Access Analyzer — finds resources shared outside your account / org (S3 buckets, KMS keys, roles).
- AWS Trusted Advisor — cost, perf, security, fault tolerance, service-limit checks (limited free, full with Business/Enterprise support).
- AWS Audit Manager — audit evidence collection for compliance frameworks.
Pick the right one (very common exam question)
| Need | Service |
|---|---|
| Detect malicious activity in account | GuardDuty |
| Scan EC2 / containers / Lambda for CVEs | Inspector |
| Find PII in S3 | Macie |
| Investigate root cause of finding | Detective |
| Aggregate findings + compliance standards | Security Hub |
| Find resources shared externally | IAM Access Analyzer |
| Generic best-practice recommendations | Trusted Advisor |
| Evidence collection for SOC2/PCI | Audit Manager |
Common exam scenarios
- "Detect EC2 doing crypto-mining" → GuardDuty (network flow + DNS query heuristics).
- "Find AMI vulnerabilities before deploying" → Inspector scans ECR / EC2 / Lambda.
- "Identify S3 buckets containing customer PII" → Macie.
- "Aggregate security findings across 30 accounts" → Security Hub with Organizations.
- "Investigate when GuardDuty alerts — what else did that key do?" → Detective.
- "Auto-quarantine an instance with malware finding" → GuardDuty → EventBridge → Lambda changes SG.
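The GuardDuty → EventBridge → Lambda → SG quarantine flow from the GuardDuty notes and the last scenario above, written out as an added example (not from the original notes or from AWS). It assumes a pre-created quarantine security group with no rules, passed in as the assumed `QUARANTINE_SG_ID` environment variable, and an execution role allowed `ec2:ModifyInstanceAttribute`; `DryRunEc2` and `SAMPLE_EVENT` are constructed stand-ins so the decision logic runs without AWS credentials.

```python
import os
# GuardDuty severities run 0.1-8.9; 7.0 and above is "High". Quarantine only those.
MIN_SEVERITY = 7.0

def instance_from_finding(finding):
    """Return the EC2 instance id a GuardDuty finding names, or None.
    Only resourceType "Instance" carries instanceDetails; IAM/S3/EKS findings
    have nothing a security-group swap could isolate."""
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def quarantine_instance(event, ec2_client, quarantine_sg_id):
    """Replace the instance's security groups with the quarantine SG.
    Swapping the whole group list for one SG with no rules cuts all traffic
    while keeping the instance and its EBS volumes intact for forensics."""
    detail = event.get("detail", {})
    if detail.get("severity", 0) < MIN_SEVERITY:
        return {"action": "ignored", "reason": "severity below threshold"}
    instance_id = instance_from_finding(detail)
    if instance_id is None:
        return {"action": "ignored", "reason": "finding is not about an EC2 instance"}
    ec2_client.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    return {"action": "quarantined", "instanceId": instance_id, "findingType": detail.get("type")}

class DryRunEc2:
    """Stand-in for boto3's EC2 client: records the call instead of making it."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)

def lambda_handler(event, context):
    """Entry point for an EventBridge rule on source aws.guardduty."""
    import boto3  # imported here so the logic above is testable without AWS creds
    return quarantine_instance(event, boto3.client("ec2"), os.environ["QUARANTINE_SG_ID"])

# Constructed sample event, trimmed to the fields used above (instance id is made up).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
```

Calling `quarantine_instance(SAMPLE_EVENT, DryRunEc2(), "sg-...")` shows the exact `modify_instance_attribute` call the real handler would make, which is the part worth reviewing before wiring the rule to production accounts.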
Exam tip
- Account behavior → GuardDuty.
- Code / OS vulnerabilities → Inspector.
- Data discovery in S3 → Macie.
- Investigate → Detective.
- Aggregate → Security Hub.